ERM's Wave of Change: Part II

ERM's Wave of Change: Part II
by Sam Phillips

The second part of a panel discussion on the changes ERM is creating in the actuarial and business worlds.

This first part of this discussion appeared in the December/January issue of The Actuary. Topics covered included: the difference between ERM now and risk management of the past, the transformation of the CRO role due to ERM and more. You can find the first part of this series on the SOA Web site at: www., Research & Publications, The Actuary Magazine, December 2005, ERM's Wave of Change: Part I.

Gaetano Geretto moderated the discussion. The panelists included Sim Segal, Grant Hardy, Dave Ingram and Doug Brooks.

Gaetano: Many thanks again for agreeing to be with us for Part II of our panel discussion on Enterprise Risk Management (ERM). We left off discussing the impact that culture has on the ERM process, specifically with regard to stimulating awareness about risk in the organization. So, let's build on that because it ties into the next question: How does ERM get treated at the business line level? Doug, you talked about tools and processes down in the business line, so why don't you start off first. Then, with Grant's experience in the business line level, why don't we have him come next.

Doug: First of all, again, the goal is to have the business accountable and own its own risk management. It's the business people that are the real risk managers; it's not necessarily the people with risk management in their title who do the key day–to–day risk management. It's really our jobs to make sure they have the tools, understanding, framework and so on to do that risk management. So in essence, it's the business people that have to do that. One of the slogans that was developed at Sun Life was: "Everyone is a Risk Manager." It's really that cultural element, making sure that that's where the ownership exists–at the business level.

Grant: I am seeing significant changes in our insurance operations over the last couple of years in terms of the way things are dealt with and partly that is the way that the organization is structured at the enterprise level. At RBC Financial Group, the core of the approval processes is centralized and therefore, the core of a lot of the decision–making, as I see it, would have been within our group risk management area. The rest of the organization was predominantly looked at as a sales and distribution organization. When you look at the insurance operations, many of us that have spent our careers in the insurance business probably viewing ourselves as being the manufacturer and therefore more like group risk management within our organizations. We may have predominantly dealt with third party distribution, so you would not have seen the same kind of control. Therefore, it is a big change in our organization from an insurance perspective where more of the review oversight is being placed into our group risk management for insurance that used to be in the business. It is that cultural change for the business people who have had a lot more independence, a more entrepreneurial approach to things and making the decisions, now having to go through an extra process that they did not have to do before.

Gaetano: Are they resisting?

Grant: Slowly changing. Sometimes faster than others, but it is changing. It is just such a different way of doing things, from my perspective, within this organization than most insurance people are used to.

Gaetano: My two cents from the past–Doug had mentioned their slogan: Everyone is a Risk Manager. At Gerling, we had a different slogan, which was: Risk Manage– ment is Everyone's Business. It is a challenge at the beginning to get people to understand that's the case, because people look at it from their own–I'll build on your point, Grant–their own perspective of how they're already evaluating risk, whether they're actuaries, underwriters or claims management professionals. They figure they're already in the game, but sometimes their interests are not aligned or they don't understand what the bigger picture is. Sim, perhaps you can add, from your experience with clients, how others are looking at this question.

Sim: I agree with Grant's and Doug's observations. It varies by company culture how this is looked at–whether this is seen as something as a corporate initiative that will go away and "just let me get back to the business of running my business," or accepted as a better way to run the business. If it's seen as something that's going to be separate and bolted on top of the business, that's not as effective. But, I've seen it done, and it's invigorating to see some entrepreneurial companies that initially shudder at the idea of corporate initiatives. Once they see how this is helping them do their jobs rather than getting in their way, they embrace it and it can be very effective. The ideal division of labor is that the business units, as the risk owners, provide the key inputs to the models and the risk assessments, and they make the decisions. The corporate area provides the policies and procedures, the support and the aggregation and reporting. Finally, internal audit provides assurance.

There are other important advantages that ERM offers. It helps you have a more explicit and effective risk governance structure, managing the expected volatility, which is the risk exposure, within an acceptable range, which is the risk appetite. In terms of the culture, the opportunity of Enterprise Risk Management, if it's done right, is to have a uniform language of risk across the entire company. ERM also helps with disclosures, for example, in terms of aligning the risk disclosures and the 10–K. Shareholders are the primary stakeholder for public companies, and you want to have disclosures that are appropriate. One way to see if there's misalignment is to look at your disclosures–the order in which the risks are disclosed, the context and the amount of text for each risk, etc. All these things send signals to investors as to what the company thinks are the most important risks. If they're not prioritized by those that have the most impact on shareholder value, the question is "why not?" Misalignment here can become a risk unto itself.

Gaetano: That's a good point, Sim. Dave, from your experience, before joining S&P, do you concur with Sim's comments or do you see a slightly different perspective?

Dave: I largely agree with Sim and think that the biggest value in ERM is getting people's attention focused differently. Getting that to be done in a way that has everybody recognizing that this adds to the value of the organization, rather than just adds to the cost of the organization, is the trick.

Gaetano: The next question is, "What are insurance companies currently doing in ERM?" We can combine that with, "What are some of the challenges insurance companies are facing in implementing ERM?" Grant, why don't you start.

Grant: There are so many different things going on. One of the things that we are spending a lot of time on is trying to get an assessment of economic capital and also diversification at the RBC Financial Group level, as opposed to just the insurance level and trying to bring that into the decision making process. The challenge is that most of your systems and structures may be more focused on regulatory capital. As you go forward in implementing this approach, you must remember that you cannot solely drive the decision making through economic capital. It is important to remember that there may be a number of other constraints that have to be included in the decision making process.

Also, it is important to recognize that economic capital and the calculations are continuing to evolve and that the view on regulatory capital may change at a slower pace. Therefore, you want to be very careful how you implement that into your pricing–particularly if your strategy in any market is to be a price leader. Otherwise, you could adopt strategies that may have very unintended consequences.

Another area of consideration is improving the focus on the reputation risk issue in the sale of life insurance products and then trying to place that in the context of the competitive environment–where you may be a little bit more advanced than the competition as it relates to your view of the reputation issues.

Gaetano: Could you elaborate on that point please?

Grant: If you are selling through third party distribution, there could be 20 companies that are dealing with the same distributors. You may have some concerns around the product and the product development that you want to reduce your risk on, yet you also have to take into consideration the competitive environment. You are obviously going to have to take a view on the risk/reward of the various components. It is difficult sometimes to be a leader in risk mitigation strategies and still be successful on the revenue side of your business. You have to pick your spots where you think it is absolutely necessary to make sure you are, and be there in those cases.

Gaetano: Is that a little bit different, Doug, than what you would be doing at Sun Life Financial or do you see it as being aligned?

Doug: I would say it's very similar in that some of the key areas that we're working on are the integration of an economic capital approach into the whole performance management capital allocation framework of the organization, and as Grant alluded to, appropriately reflecting that in pricing, etc., and really building that whole framework and recognizing the constraints that exist effectively from regulators, regulating agencies, etc. So, building that framework, we're certainly working with the regulators in Canada in terms of trying to ensure a consistent, longer–term approach to regulatory capital that hopefully is consistent with an economic approach that we would be using internally–as I said, we're working with the regulators on that. We're spending quite a bit of time on operational risk and reputational issues–finding ways to identify business practices and processes that could lead to reputational issues and proactively dealing with those. So, I'd say we're very much aligned with the types of things Grant was talking about.

Gaetano: Dave, we've heard a lot of talk about economic capital and Doug alluded to working with regulators on that front. Have you had any interactions with insurance entities in terms of having S&P opine on the definition of economic capital being used by the company in question.

Dave: We've started down a long path of trying to get our arms around what we're going to do with that common capital. We're taking a similar path there than what I've heard defined by Basil and perhaps by the regulators defining Solvency II. We're saying that a first step, before we start getting into details of economic capital, would be to ascertain that a company has a robust risk management process. We're doing this for many reasons, but the primary one is we're looking for the economic capital to be used as a forward looking indicator of risk and if there aren't risk control processes in place, the economic capital calculation is historic and doesn't have any predictive capabilities. So, once we have the process of determining that in place, we hope to look at what companies have done on economic capital in some detail and compare it to how we've defined capital needs of companies and our capital adequacies formula. We're not going into that with a definition of economic capital in mind. We have our own definition of risk capital that we've been using and that we're going to be reaffirming in an update soon. That may be different than some of the definitions of economic capital that have been floating around. We're not intending on prescribing one and we're definitely not intending on creating our own economic capital model.

Sim: Insurance companies have been doing ERM in various pieces for a long time. The CRO role is now an official title in many companies, but how the role functions and what it means varies widely. All companies have a long list of identified risks and they have heat maps that report the top risks to the board. Most companies are thinking about or starting to do economic capital. One of the challenges that Grant mentioned is the friction between economic capital and regulatory or rating agency capital. Working through that issue is one of the keys to success. The problem that we see is that a lot of ERM programs are stalling because they jumped in too quickly with economic capital. It was nice to hear Grant and Doug say that this needs to be integrated into the company processes–performance management, capital allocation and decision– making. This has to be thought through first–the framework and how it will be used and what the goals are. That is a big risk and a challenge for many companies. Another challenge is quantifying operational risk and having it defined in a way that is consistent so that all risks can be integrated.

It's interesting, regarding the economic capital versus regulatory or rating agency capital issue, there was a relevant article in Harvard Business Review on forecasting. The article was based on text from an old SOA exam. It discussed two basic ways of forecasting–inside view and outside view. The inside view is, "we're special, so we need to look at our risks internally, build it from the bottom up, measure our own risks and let's see where we are." The outside view is, "we're not that different from other companies, so let's take a bunch of companies that are similar, look at the risks for those companies, look at failures and so forth, do projections on that basis and adjust for the differences." The conclusion of the article was that, due to various management biases, for most projection efforts, the external view is superior, which is kind of a knock against the economic capital approach if it's done incorrectly. There are so many assumptions, you have to have a disciplined approach to the setting and changing of assumptions and set up incentives to allow that. Without that, you may fall prey to biases. This is what Dave and S&P are struggling with. They don't have the resources to check each individual company model with tremendous granularity. At the same time, they'd like to have a tool that looks across the entire industry and be able to relatively compare companies. This gets at the same inside view versus outside view issue. Individual company models typically use an inside view, whereas an industry–wide model would use an outside view.

Gaetano: That leads us nicely into the next set of questions about, "How does the life insurance industry compare to others in terms of ERM?" And, "Where is the future of this discipline?" Dave, considering that you're sitting in a much more objective perspective now, having been in consulting before and now at S&P, why don't you give us your view.

Dave: I'd have to say that my first reaction is to mention to you that I've probably been asked the question about risk management more than any other question–and not just relating to banks versus life insurance, but when I've traveled in Europe or Asia, how does European or Asian practice compare to U.S. or North American practice? I'm always curious about why people think that is important. The answer I like the best is not one that I've given; it's one that I heard someone else give, which is: particularly in comparing banks and insurance companies, is that the problem is so different the question is almost meaningless. Insurance companies have had much more complicated risk models for years than what banks may have now. But the banks, because they've had a simpler set of risks, have managed to make further steps in bringing all their models together. It's really an apples and oranges comparison. We're dealing with different things and we're both making a lot strides on it.

Gaetano: And where do you think the future of ERM is headed?

Dave: Right now I see it, particularly in insurance companies, which is where almost all of my perspective comes from, being developed in every direction at once. When we talked about what insurance companies are doing on that, if you went around the industry you'd find a few themes. But everybody seems to be appropriately concentrating on whatever their biggest weakness is right now. There's not enough communication of what people are developing that way, which is bad because people have to re–plow the same fields. But it's good in that there's a lot of original work that's being done that perhaps wouldn't be done if it were easier to just pick up what someone else is doing and copy it. In economic capital, yes, it is really chaotic right now. Everybody's defining it differently and calculating it differently, but I think it'll be a real creative process by the time that we, as an industry, get around to settling on a way of doing this, we will have had a lot of choices to look at.

Gaetano: Sim, what's your opinion on these issues?

Sim: That was an interesting point that Dave made. Economic capital approaches vary widely. Going through their own exercise, I think companies learn a lot in the process and that's a good thing. I think that in the future we'll see more companies using a value–based focus. With the technology we have now we are able to support the calculations, whether it's deterministic or stochastic, to look at the impact on shareholder value–that's what this should all be about. And often it's the operational risk that can do the most damage to shareholder value. The focus on shareholder value helps people back up and look at what the biggest risks are and focus their resources on those. My hope is that we move this process to really look at all risks, at how they impact shareholder value and managing it that way: from governance on through decision–making out the back end to disclosures. In the longer–term, there will be some level of convergence on approach between regulators, rating agencies and companies. In the near term, rather than focusing so much on questions like, "What should be the standard?" or "What will be reflected in my rating if I do A, B or C," management should focus more on "What are the risks to shareholders, and other stakeholders, and how do we protect them?" I think the company that's following that star will reap the benefits from rating agencies and regulators alike. Over time, I think stakeholders will demand more from companies, so companies that move now to develop their ERM programs will be happier down the road.

Grant: I would say that we are very well developed from the banking perspective on economic capital and I agree that it tends to be a simpler risk. Decision making at that level is based on economic capital. In the insurance part of our business, we are also judged on returns on economic capital. However, I am fairly reluctant in most cases to do pricing on economic capital at this point in time since I am certain that our understanding of its effective use is not yet well developed enough to be using it as a tool. We are more comfortable that it works for shorter tail business and can be changed for new business. However, does it work for longer tail business and what are the implications of its adoption? We want to make sure that we are comfortable first before moving to a different process. From where I sit, in terms of our organization, it is trying to fit all of those pieces into what the organization is doing, and also making sure that it makes sense for the insurance business. It requires a lot of communicating and trying to identify the various issues and ensuring that we are satisfied we understand each of our businesses and how people think so that we can come out with the best processes at the end of the day.

Gaetano: A similar question that I asked Dave, you don't have in your approach, which I guess is a combination of top–down and bottom–up, you don't have people coming up with different definitions of economic capital.

Grant: No, our definition of economic capital would be consistent across the organization.

Gaetano: So, it's a top–down approach, so that everyone is operating from the same score sheet.

Grant: Yes.

Gaetano: Doug, what do you think about the idea of operational risk and also alignment with the significant stakeholder of shareholders?

Doug: I think that the question of alignment is particularly important. Again, one of the key values of Enterprise Risk Management is being able to articulate to your stakeholders both your philosophy and approach to managing risks in an organization and also communicating the results clearly and on a consistent basis to those stakeholders. In terms of the insurance industry, other industries and where we're going in the future–just a couple of points. I think to turn the question about comparison to other industries around, I would say you can always learn from what other industries are doing and what other companies are doing. In addition to that, one of the key elements of risk management is to ensure that there are different perspectives brought to the table when looking at any particular issue. People in a particular profession or in a particular business line will tend to have tunnel vision in certain respects–even actuaries. So, it's very important to bring in different perspectives and sometimes what appears to be a simple question from a different perspective can open up your eyes to areas of risk that need to be considered. So, I think it's very important to learn from other industries. I also think that when it comes to the general approach and principles in managing risk, there's a lot of consistency across different types of businesses, but the way those are reflected in the actual processes and tools that are developed, managed risk can look very different. An example of that: I talked about working with the regulators to develop an economic capital approach to assessing capital adequacy–in the case of the Canadian regulator–they're very much looking at the approach that has been taken with the banks in the Basil approach and trying to employ those principles, which I think is quite appropriate and can be done. But the way those unfold, because of the differences between insurance–based organizations and banking–based organizations, can look very different because of some of the key characteristics of the insurance business, which are: they're long–term businesses, long–term liabilities and not particularly transaction oriented. Whereas the banks are heavily transaction oriented and shorter term and those two mean that the actual tools and quantitative approaches that are appropriate may look very different and yet the underlying principles are consistent.

Gaetano: Very interesting. Anyone want to comment on that?

Sim: The industries that have moved ahead are those that did so because they suffered more failures, due to poor management of risk. I think you see this at the company level, too. Those companies that are farther ahead in ERM, in many cases, have made a defensive move or a reactive response.

Dave: I'd say historically, one of the other factors that's influenced where resources have gone, particularly in things like economic capital, is that the regulatory regime we've had in insurance in the United States and Canada, with the way that there's been a risk–based capital requirement, has helped get insurance, in those two countries, ahead of other parts of the world in looking at risk and risk management and in some respects ahead of some of the things banks were doing. Because it was a good system, it kept us in insurance in North America from spending a lot of time looking to develop a better system.

Gaetano: That's a good point, Dave. We've often forgotten that the regulatory system, as much as a lot of us have complained about it, has also helped in terms of the governance of the overall industry and also helped with the creation of better definitions of economic capital and how to apply economic capital in our industry.

Let's move on to the last questions: "What characteristics make a good CRO?" and "From your various positions, what advice would you give to others contemplating the launch of ERM in their companies?"

Grant: From my perspective, a good CRO is someone who has had experience in a number of lines of business and divergent roles in those businesses. This helps you get a good understanding of the underlying risks. It helps to have had enough tenure to have experienced some cycles in the business. It could be a 10–, 15– or 20–year cycle, depend–ing on the circumstances. I think inquisitiveness is important, tenacity and the willingness to stand up for what you believe in and trying to get to the bottom of things.

In terms of the last question, which is really around developing the entire process, it would be important to get an understanding of what other organizations have already done. I think the next task issue I would tackle is to develop a risk framework. Not only the risk framework from all the verbiage, but also a pictorial presentation, since I find that it makes things clearer. It is essential to have senior management, across all the business lines, and the board of directors' buy–in. I think that if you're putting together a team of risk professionals, I would make sure I balance it with some technical people as well as some people who have experience in the businesses.

Gaetano: How about you, Doug?

Doug: I was hoping Grant was going to stop because I was ticking off the points I had jotted down and they were almost identical! Essentially, I agree with everything Grant said. Just to emphasize a couple of elements: the aspect of business knowledge and experience I think is particularly significant in terms of what is necessary. Especially when it comes to the importance of operational and reputational issues–I think business knowledge is particularly critical there. It's also critical regarding understanding product risks and so on.

Grant used the term inquisitiveness. What I had written down was "constructive skepticism." I think it's very important to ask all the questions and keep asking the questions, but in as constructive a way as possible. I think communication is another important attribute, because communication is required between technical and non–technical audiences. In terms of advice, I think one of the key things is to prioritize, you can't take on everything all at once. You have to pick your spots, but doing that within a framework that ensures that you are tackling the priority items. So, it's important to have a sense of the overall framework, but then to prioritize. It's important to look at the overall picture and have an overall vision of where you're going, but then there are limits to resources and attention spans, so it's important to prioritize.

Gaetano: How about you, Sim?

Sim: I like Grant's point about the tenure and the cycles, to have people that have been through some wars. If you've seen things break down before, that kind of experience is very helpful. For example, the captain of the Titanic was selected for the prestigious maiden voyage due to his seniority. However, throughout his long career, he had never seen any real threat of disaster, and he had a limited ability to manage it when it occurred, and he made a number of mistakes, as we all know.

Leadership skills are critical, especially in terms of change management–influencing change, building consensus and communicating with a broad range of stakeholders. A CRO also has to have a comfort level with incomplete data and imperfect modeling, something actuaries are generally uncomfortable with. Also, the ability to handle the people issues and a practicality needed for implementation is vital. A lot of adjustments must be made along the way and a good CRO can make those adjustments and set up the right incentives.

Gaetano: Dave, you have the last word.

Dave: I'll repeat a list I put together a couple of months ago for some discussion I was having on this. It does repeat a lot of what people have already said, but: A CRO needs to be imaginative, a modeler, a communicator, needs to command respect, needs to be a visionary, a champion, needs to have business judgment, people skills, needs to be a learner, a facilitator, needs to be curious, needs to be an auditor, needs to be a skeptic, needs to be a financial analyst, needs to be open–minded, needs to be a team builder and a teacher. There's a number of other things that people mentioned that aren't on this list, so I'm going to expand this list the next time I bring it out.

Gaetano: I want to thank each of you for taking the time to participate in this discussion. I have enjoyed it and learned a lot. Thank you.